Stealthy Tracking of Autonomous Vehicles with Cache Side ... · Stealthy Tracking of Autonomous...

Stealthy Tracking of Autonomous Vehicles with Cache Side Channels

Mulong Luo, Andrew C. Myers, G. Edward SuhCornell University29th USENIX Security Symposium 2020

Photos, illustrations, graphics here.

Cornell University

2

Privacy in Cyber-Physical Systems (CPS)• Autonomous vehicles and other CPS (e.g.

UAV) are widely used

• Privacy in CPS involves in physical information (e.g., location)

• CPS as computer systems, are vulnerable to cache side-channel attack

Autonomous cars 1

UAV 2

1. waymo.com2. dji.com

Cornell University

3

• We identified CPS as victims that can expose physical privacy information– Traditional victims of cache side-channel attack usually leaks

non-physical information (e.g., crypto keys)

• We showed adaptive algorithms whose computation depends on inputs in CPS are vulnerable to cache side-channel attack

• We demonstrated a concrete example of cache side-channel attack on autonomous vehicles for route prediction

Main Contributions


Cornell University

4

Threat Model• Attack software shares

computer with victim software on the vehicle under attack

• Attack software has no permission to access location service (e.g., GPS)

• Attack software uses cache side-channel attack to infer the route of the vehicle from a set of known routes

Hospital

Airport

Restaurant

Attack software

CacheComputer

Home

Victim software GPS

Denied!


Cornell University

5

Autonomous Vehicle Systems• Main components

– Sensors– Actuators– Computer

• Major navigation tasks– Estimation/localization

software– Control/decision software

GPS driver

Lidardriver

Controllerdriver

State estimation

Path planning

Collision avoidance

LTE/5Gdriver

Info-tainment

Video recording

Onboard computer

Navigation stack

OS kernel space

Utility stack

Remote control server

Cameradriver

GPS receiver

Lidar

Camera

LTE/5GAthena

Steering controller

Throttlecontroller

Brakecontroller

Sensors/Info collectors Actuators/command executors

USB/PCIe/GPIO/CAN

Syscalls

Cornell University

6

• Adaptive Monte-Carlo Localization (AMCL): memory access pattern is affected by the physical sensor inputs

• Cache side-channel attack is used to extract the memory access patterns

• Machine learning (ML) models are used to infer the number of AMCL samples and the route of the vehicle

Attack Outline

AMCL MLCache side channel

ML

Mem

ory

acce

ss

Sens

or

input

#AM

CL

sam

ples

Predict

ed

route


Cornell University

7

Adaptive Monte-Carlo Localization (AMCL)• Input: sensor image, and a map• Output: location on the map• Process:

– Randomly sample locations on the map, calculate the similarity with the sensor image

– Use k-means to find cluster center• Adaptivity: the number of samples varies

adaptively depending on uncertainty1

– High curvature (uncertainty) à more AMCL samples à more memory access

Sensor image

10%

90%

30%

map

80 100 120 140 160time (s)

0

5000

10000

15000

Numb

er of

partic

les

0

2

4

6

8

10

Curva

ture o

f the t

race

(1/m

)

10 5

time (s)

Num

ber o

f AM

CL

sam

ples

Cur

vatu

re (1

/m)

1.D. Fox. Adapting the sample size in particle filters through KLD-sampling. IJRR, 22(12):985–1003, 2003.

Cornell University

8




Attack Outline


ML

Mem

ory

acce

ss

Sens

or

input Pred

icted

route#AM

CL

sam

ples


Cornell University

9

Cache Side-Channel Attack• Sharing of cache• Memory accesses patterns

from AMCL are left in the cache

• Attack program access the cache and infer AMCL accesses through timing– Prime+probe

CPU

Cache

Memory owned by AMCL

Memory owned by attacker

AMCL Attack program

Main memory


Cornell University

10

Cache Prime+Probe• For each prime+probe trial

– Probe each cache set and

record the probing time

– High probing time (dark

cell) à cache set

accessed by a victim

– #dark cells à #AMCL

samples

• ML model to predict number

of samples

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30Prime+probe trial

123456789

10111213141516

Cache set index

Probing Time (cycles)

50

100

150

200

250

300

350

400

450

500

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

Prime+probe trial

123456789

10111213141516

Cac

he s

et in

dex


50

100

150

200

250

300

350

400

450

500

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

Prime+probe trial

123456789

10111213141516

Cac

he s

et in

dex


50

100

150

200

250

300

350

400

450

500...

...C

ache s

et in

dex (

1-6

4)

Prime+probe trial

...

...

Cornell University

11




Attack Outline


ML

Mem

ory

acce

ss

Sens

or

input Pred

icted

route#AM

CL

sam

ples


Cornell University

12

ML Model: #AMCL Samples Predictor• Formulated as a binary

classification problem– Input: a window of cache

probing time matrix– Output: two classes {High,

Low} representing the number of samples

– RUSBoost1 binary predictor is used

Cac

he s

et in

dex

1

64

…

Window size

…5 6 4……2 1 4……3 4 5……3 2 1……5 5 5……..…1 2 5… N

umbe

r of s

ets

Num

ber o

f sam

ples

time

time

High

Low1.C. Seiffert, et al., "RUSBoost: Improving classification performance when training data is skewed," 2008 ICPR.

Cornell University

13




Attack Outline


ML

Mem

ory

acce

ss

Sens

or

input Pred

icted

route#AM

CL

sam

ples


Cornell University

14

ML Model: Route Predictor• Formulated as a

classification problem– Input: a series of {High,

Low} which indicates the number of samples

– Output: label of the route– Decision tree/forest is

used

Low

High

6

8

9Low

High

HighLowLow

8

time

3

High

High

Low

Num

ber o

f sa

mpl

es


Cornell University

15

Evaluation: Datasets• Two datasets used

– Gazebo/ROS1

• Simulated robot in a maze – Oxford2

• Data collected on a car driving around Oxford, UK

• Processors for evaluation– Intel i5-3317u, and Intel Xeon E5-

1270 (recommended by Apollo3)1. http://gazebosim.org/2. https://robotcar-dataset.robots.ox.ac.uk/3. https://apollo.auto Oxford

Gazebo/ROS simulation maze

http://gazebosim.org/

https://robotcar-dataset.robots.ox.ac.uk/

https://apollo.auto/

Cornell University

16

• 7 randomly-selected routes with similar lengths

• Perform route prediction using L1D or LLC probing data

– Accuracy: L1D: 81.4%, LLC 75%

Evaluation: Route Prediction - Gazebo

Maze and 7 routes L1D prediction results LLC prediction results

Cornell University

17

• 7 routes with similar lengths from the Oxford dataset

• Perform route prediction using L1D or LLC probing data

– Accuracy: L1D: 74.6%, LLC 73.0%

Evaluation: Route Prediction - Oxford

Oxford dataset and

seven routes

L1D prediction results LLC prediction results

Cornell University

18

• Evaluation: Host-client testbed architecture (Section 5.1.1)

• Location prediction (Section 5.3.2)

• L1D & LLC comparison (Section 5.3.3)

• Discussion (Section 6)

– Processor architecture (Section 6.1)

– Generality of the vulnerability (Section 6.2)

– Limitations of the attack model (Section 6.3)

– Difficult-to-predict routes (Section 6.4)

More In the Paper…

Cornell University

19

• We identified CPS as victim that can expose physicalprivacy information

• We showed adaptive algorithms in CPS are vulnerable to cache side-channel attack

• We demonstrated a concrete example of cache side-channel attack on autonomous vehicles for route prediction

• Cache side-channel protection necessary for strong CPS physical privacy

Conclusion

Cornell University

20

Thanks for [email protected]

Stealthy Tracking of Autonomous Vehicles with Cache Side ... · Stealthy Tracking of Autonomous...

Documents

Transcript of Stealthy Tracking of Autonomous Vehicles with Cache Side ... · Stealthy Tracking of Autonomous...